Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
- Service Configuration
- Errors
- AttachmentStatus
- ConfigurationSyncState
- EncryptionType
- FirewallStatusValue
- GeneratedRulesType
- LogDestinationType
- LogType
- OverrideAction
- PerObjectSyncStatus
- ResourceManagedStatus
- ResourceManagedType
- ResourceStatus
- RuleGroupType
- RuleOrder
- StatefulAction
- StatefulRuleDirection
- StatefulRuleProtocol
- StreamExceptionPolicy
- TCPFlag
- TargetType
- ActionDefinition
- Address
- Attachment
- CIDRSummary
- CapacityUsageSummary
- CustomAction
- Dimension
- EncryptionConfiguration
- Firewall
- FirewallMetadata
- FirewallPolicy
- FirewallPolicyMetadata
- FirewallPolicyResponse
- FirewallStatus
- Header
- IPSet
- IPSetMetadata
- IPSetReference
- LogDestinationConfig
- LoggingConfiguration
- MatchAttributes
- PerObjectStatus
- PortRange
- PortSet
- PublishMetricAction
- ReferenceSets
- RuleDefinition
- RuleGroup
- RuleGroupMetadata
- RuleGroupResponse
- RuleOption
- RuleVariables
- RulesSource
- RulesSourceList
- SourceMetadata
- StatefulEngineOptions
- StatefulRule
- StatefulRuleGroupOverride
- StatefulRuleGroupReference
- StatefulRuleOptions
- StatelessRule
- StatelessRuleGroupReference
- StatelessRulesAndCustomActions
- SubnetMapping
- SyncState
- TCPFlagField
- Tag
Synopsis
- defaultService :: Service
- _InsufficientCapacityException :: AsError a => Fold a ServiceError
- _InternalServerError :: AsError a => Fold a ServiceError
- _InvalidOperationException :: AsError a => Fold a ServiceError
- _InvalidRequestException :: AsError a => Fold a ServiceError
- _InvalidResourcePolicyException :: AsError a => Fold a ServiceError
- _InvalidTokenException :: AsError a => Fold a ServiceError
- _LimitExceededException :: AsError a => Fold a ServiceError
- _LogDestinationPermissionException :: AsError a => Fold a ServiceError
- _ResourceNotFoundException :: AsError a => Fold a ServiceError
- _ResourceOwnerCheckException :: AsError a => Fold a ServiceError
- _ThrottlingException :: AsError a => Fold a ServiceError
- _UnsupportedOperationException :: AsError a => Fold a ServiceError
- newtype AttachmentStatus where
- AttachmentStatus' { }
- pattern AttachmentStatus_CREATING :: AttachmentStatus
- pattern AttachmentStatus_DELETING :: AttachmentStatus
- pattern AttachmentStatus_READY :: AttachmentStatus
- pattern AttachmentStatus_SCALING :: AttachmentStatus
- newtype ConfigurationSyncState where
- newtype EncryptionType where
- EncryptionType' { }
- pattern EncryptionType_AWS_OWNED_KMS_KEY :: EncryptionType
- pattern EncryptionType_CUSTOMER_KMS :: EncryptionType
- newtype FirewallStatusValue where
- newtype GeneratedRulesType where
- newtype LogDestinationType where
- newtype LogType where
- LogType' {
- fromLogType :: Text
- pattern LogType_ALERT :: LogType
- pattern LogType_FLOW :: LogType
- LogType' {
- newtype OverrideAction where
- OverrideAction' { }
- pattern OverrideAction_DROP_TO_ALERT :: OverrideAction
- newtype PerObjectSyncStatus where
- newtype ResourceManagedStatus where
- newtype ResourceManagedType where
- newtype ResourceStatus where
- ResourceStatus' { }
- pattern ResourceStatus_ACTIVE :: ResourceStatus
- pattern ResourceStatus_DELETING :: ResourceStatus
- newtype RuleGroupType where
- RuleGroupType' { }
- pattern RuleGroupType_STATEFUL :: RuleGroupType
- pattern RuleGroupType_STATELESS :: RuleGroupType
- newtype RuleOrder where
- RuleOrder' { }
- pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder
- pattern RuleOrder_STRICT_ORDER :: RuleOrder
- newtype StatefulAction where
- StatefulAction' { }
- pattern StatefulAction_ALERT :: StatefulAction
- pattern StatefulAction_DROP :: StatefulAction
- pattern StatefulAction_PASS :: StatefulAction
- newtype StatefulRuleDirection where
- newtype StatefulRuleProtocol where
- StatefulRuleProtocol' { }
- pattern StatefulRuleProtocol_DCERPC :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_DHCP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_DNS :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_FTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_HTTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_ICMP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IKEV2 :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IMAP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_KRB5 :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_MSN :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_NTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SMB :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SMTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SSH :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TCP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TFTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TLS :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_UDP :: StatefulRuleProtocol
- newtype StreamExceptionPolicy where
- newtype TCPFlag where
- TCPFlag' {
- fromTCPFlag :: Text
- pattern TCPFlag_ACK :: TCPFlag
- pattern TCPFlag_CWR :: TCPFlag
- pattern TCPFlag_ECE :: TCPFlag
- pattern TCPFlag_FIN :: TCPFlag
- pattern TCPFlag_PSH :: TCPFlag
- pattern TCPFlag_RST :: TCPFlag
- pattern TCPFlag_SYN :: TCPFlag
- pattern TCPFlag_URG :: TCPFlag
- TCPFlag' {
- newtype TargetType where
- TargetType' { }
- pattern TargetType_HTTP_HOST :: TargetType
- pattern TargetType_TLS_SNI :: TargetType
- data ActionDefinition = ActionDefinition' {}
- newActionDefinition :: ActionDefinition
- actionDefinition_publishMetricAction :: Lens' ActionDefinition (Maybe PublishMetricAction)
- data Address = Address' {}
- newAddress :: Text -> Address
- address_addressDefinition :: Lens' Address Text
- data Attachment = Attachment' {}
- newAttachment :: Attachment
- attachment_endpointId :: Lens' Attachment (Maybe Text)
- attachment_status :: Lens' Attachment (Maybe AttachmentStatus)
- attachment_statusMessage :: Lens' Attachment (Maybe Text)
- attachment_subnetId :: Lens' Attachment (Maybe Text)
- data CIDRSummary = CIDRSummary' {}
- newCIDRSummary :: CIDRSummary
- cIDRSummary_availableCIDRCount :: Lens' CIDRSummary (Maybe Natural)
- cIDRSummary_iPSetReferences :: Lens' CIDRSummary (Maybe (HashMap Text IPSetMetadata))
- cIDRSummary_utilizedCIDRCount :: Lens' CIDRSummary (Maybe Natural)
- data CapacityUsageSummary = CapacityUsageSummary' {}
- newCapacityUsageSummary :: CapacityUsageSummary
- capacityUsageSummary_cIDRs :: Lens' CapacityUsageSummary (Maybe CIDRSummary)
- data CustomAction = CustomAction' {}
- newCustomAction :: Text -> ActionDefinition -> CustomAction
- customAction_actionName :: Lens' CustomAction Text
- customAction_actionDefinition :: Lens' CustomAction ActionDefinition
- data Dimension = Dimension' {}
- newDimension :: Text -> Dimension
- dimension_value :: Lens' Dimension Text
- data EncryptionConfiguration = EncryptionConfiguration' {
- keyId :: Maybe Text
- type' :: EncryptionType
- newEncryptionConfiguration :: EncryptionType -> EncryptionConfiguration
- encryptionConfiguration_keyId :: Lens' EncryptionConfiguration (Maybe Text)
- encryptionConfiguration_type :: Lens' EncryptionConfiguration EncryptionType
- data Firewall = Firewall' {
- deleteProtection :: Maybe Bool
- description :: Maybe Text
- encryptionConfiguration :: Maybe EncryptionConfiguration
- firewallArn :: Maybe Text
- firewallName :: Maybe Text
- firewallPolicyChangeProtection :: Maybe Bool
- subnetChangeProtection :: Maybe Bool
- tags :: Maybe (NonEmpty Tag)
- firewallPolicyArn :: Text
- vpcId :: Text
- subnetMappings :: [SubnetMapping]
- firewallId :: Text
- newFirewall :: Text -> Text -> Text -> Firewall
- firewall_deleteProtection :: Lens' Firewall (Maybe Bool)
- firewall_description :: Lens' Firewall (Maybe Text)
- firewall_encryptionConfiguration :: Lens' Firewall (Maybe EncryptionConfiguration)
- firewall_firewallArn :: Lens' Firewall (Maybe Text)
- firewall_firewallName :: Lens' Firewall (Maybe Text)
- firewall_firewallPolicyChangeProtection :: Lens' Firewall (Maybe Bool)
- firewall_subnetChangeProtection :: Lens' Firewall (Maybe Bool)
- firewall_tags :: Lens' Firewall (Maybe (NonEmpty Tag))
- firewall_firewallPolicyArn :: Lens' Firewall Text
- firewall_vpcId :: Lens' Firewall Text
- firewall_subnetMappings :: Lens' Firewall [SubnetMapping]
- firewall_firewallId :: Lens' Firewall Text
- data FirewallMetadata = FirewallMetadata' {}
- newFirewallMetadata :: FirewallMetadata
- firewallMetadata_firewallArn :: Lens' FirewallMetadata (Maybe Text)
- firewallMetadata_firewallName :: Lens' FirewallMetadata (Maybe Text)
- data FirewallPolicy = FirewallPolicy' {
- statefulDefaultActions :: Maybe [Text]
- statefulEngineOptions :: Maybe StatefulEngineOptions
- statefulRuleGroupReferences :: Maybe [StatefulRuleGroupReference]
- statelessCustomActions :: Maybe [CustomAction]
- statelessRuleGroupReferences :: Maybe [StatelessRuleGroupReference]
- statelessDefaultActions :: [Text]
- statelessFragmentDefaultActions :: [Text]
- newFirewallPolicy :: FirewallPolicy
- firewallPolicy_statefulDefaultActions :: Lens' FirewallPolicy (Maybe [Text])
- firewallPolicy_statefulEngineOptions :: Lens' FirewallPolicy (Maybe StatefulEngineOptions)
- firewallPolicy_statefulRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatefulRuleGroupReference])
- firewallPolicy_statelessCustomActions :: Lens' FirewallPolicy (Maybe [CustomAction])
- firewallPolicy_statelessRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatelessRuleGroupReference])
- firewallPolicy_statelessDefaultActions :: Lens' FirewallPolicy [Text]
- firewallPolicy_statelessFragmentDefaultActions :: Lens' FirewallPolicy [Text]
- data FirewallPolicyMetadata = FirewallPolicyMetadata' {}
- newFirewallPolicyMetadata :: FirewallPolicyMetadata
- firewallPolicyMetadata_arn :: Lens' FirewallPolicyMetadata (Maybe Text)
- firewallPolicyMetadata_name :: Lens' FirewallPolicyMetadata (Maybe Text)
- data FirewallPolicyResponse = FirewallPolicyResponse' {
- consumedStatefulRuleCapacity :: Maybe Int
- consumedStatelessRuleCapacity :: Maybe Int
- description :: Maybe Text
- encryptionConfiguration :: Maybe EncryptionConfiguration
- firewallPolicyStatus :: Maybe ResourceStatus
- lastModifiedTime :: Maybe POSIX
- numberOfAssociations :: Maybe Int
- tags :: Maybe (NonEmpty Tag)
- firewallPolicyName :: Text
- firewallPolicyArn :: Text
- firewallPolicyId :: Text
- newFirewallPolicyResponse :: Text -> Text -> Text -> FirewallPolicyResponse
- firewallPolicyResponse_consumedStatefulRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int)
- firewallPolicyResponse_consumedStatelessRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int)
- firewallPolicyResponse_description :: Lens' FirewallPolicyResponse (Maybe Text)
- firewallPolicyResponse_encryptionConfiguration :: Lens' FirewallPolicyResponse (Maybe EncryptionConfiguration)
- firewallPolicyResponse_firewallPolicyStatus :: Lens' FirewallPolicyResponse (Maybe ResourceStatus)
- firewallPolicyResponse_lastModifiedTime :: Lens' FirewallPolicyResponse (Maybe UTCTime)
- firewallPolicyResponse_numberOfAssociations :: Lens' FirewallPolicyResponse (Maybe Int)
- firewallPolicyResponse_tags :: Lens' FirewallPolicyResponse (Maybe (NonEmpty Tag))
- firewallPolicyResponse_firewallPolicyName :: Lens' FirewallPolicyResponse Text
- firewallPolicyResponse_firewallPolicyArn :: Lens' FirewallPolicyResponse Text
- firewallPolicyResponse_firewallPolicyId :: Lens' FirewallPolicyResponse Text
- data FirewallStatus = FirewallStatus' {}
- newFirewallStatus :: FirewallStatusValue -> ConfigurationSyncState -> FirewallStatus
- firewallStatus_capacityUsageSummary :: Lens' FirewallStatus (Maybe CapacityUsageSummary)
- firewallStatus_syncStates :: Lens' FirewallStatus (Maybe (HashMap Text SyncState))
- firewallStatus_status :: Lens' FirewallStatus FirewallStatusValue
- firewallStatus_configurationSyncStateSummary :: Lens' FirewallStatus ConfigurationSyncState
- data Header = Header' {}
- newHeader :: StatefulRuleProtocol -> Text -> Text -> StatefulRuleDirection -> Text -> Text -> Header
- header_protocol :: Lens' Header StatefulRuleProtocol
- header_source :: Lens' Header Text
- header_sourcePort :: Lens' Header Text
- header_direction :: Lens' Header StatefulRuleDirection
- header_destination :: Lens' Header Text
- header_destinationPort :: Lens' Header Text
- data IPSet = IPSet' {
- definition :: [Text]
- newIPSet :: IPSet
- iPSet_definition :: Lens' IPSet [Text]
- data IPSetMetadata = IPSetMetadata' {}
- newIPSetMetadata :: IPSetMetadata
- iPSetMetadata_resolvedCIDRCount :: Lens' IPSetMetadata (Maybe Natural)
- data IPSetReference = IPSetReference' {}
- newIPSetReference :: IPSetReference
- iPSetReference_referenceArn :: Lens' IPSetReference (Maybe Text)
- data LogDestinationConfig = LogDestinationConfig' {}
- newLogDestinationConfig :: LogType -> LogDestinationType -> LogDestinationConfig
- logDestinationConfig_logType :: Lens' LogDestinationConfig LogType
- logDestinationConfig_logDestinationType :: Lens' LogDestinationConfig LogDestinationType
- logDestinationConfig_logDestination :: Lens' LogDestinationConfig (HashMap Text Text)
- data LoggingConfiguration = LoggingConfiguration' {}
- newLoggingConfiguration :: LoggingConfiguration
- loggingConfiguration_logDestinationConfigs :: Lens' LoggingConfiguration [LogDestinationConfig]
- data MatchAttributes = MatchAttributes' {
- destinationPorts :: Maybe [PortRange]
- destinations :: Maybe [Address]
- protocols :: Maybe [Natural]
- sourcePorts :: Maybe [PortRange]
- sources :: Maybe [Address]
- tCPFlags :: Maybe [TCPFlagField]
- newMatchAttributes :: MatchAttributes
- matchAttributes_destinationPorts :: Lens' MatchAttributes (Maybe [PortRange])
- matchAttributes_destinations :: Lens' MatchAttributes (Maybe [Address])
- matchAttributes_protocols :: Lens' MatchAttributes (Maybe [Natural])
- matchAttributes_sourcePorts :: Lens' MatchAttributes (Maybe [PortRange])
- matchAttributes_sources :: Lens' MatchAttributes (Maybe [Address])
- matchAttributes_tCPFlags :: Lens' MatchAttributes (Maybe [TCPFlagField])
- data PerObjectStatus = PerObjectStatus' {}
- newPerObjectStatus :: PerObjectStatus
- perObjectStatus_syncStatus :: Lens' PerObjectStatus (Maybe PerObjectSyncStatus)
- perObjectStatus_updateToken :: Lens' PerObjectStatus (Maybe Text)
- data PortRange = PortRange' {}
- newPortRange :: Natural -> Natural -> PortRange
- portRange_fromPort :: Lens' PortRange Natural
- portRange_toPort :: Lens' PortRange Natural
- data PortSet = PortSet' {
- definition :: Maybe [Text]
- newPortSet :: PortSet
- portSet_definition :: Lens' PortSet (Maybe [Text])
- data PublishMetricAction = PublishMetricAction' {}
- newPublishMetricAction :: NonEmpty Dimension -> PublishMetricAction
- publishMetricAction_dimensions :: Lens' PublishMetricAction (NonEmpty Dimension)
- data ReferenceSets = ReferenceSets' {}
- newReferenceSets :: ReferenceSets
- referenceSets_iPSetReferences :: Lens' ReferenceSets (Maybe (HashMap Text IPSetReference))
- data RuleDefinition = RuleDefinition' {}
- newRuleDefinition :: MatchAttributes -> RuleDefinition
- ruleDefinition_matchAttributes :: Lens' RuleDefinition MatchAttributes
- ruleDefinition_actions :: Lens' RuleDefinition [Text]
- data RuleGroup = RuleGroup' {}
- newRuleGroup :: RulesSource -> RuleGroup
- ruleGroup_referenceSets :: Lens' RuleGroup (Maybe ReferenceSets)
- ruleGroup_ruleVariables :: Lens' RuleGroup (Maybe RuleVariables)
- ruleGroup_statefulRuleOptions :: Lens' RuleGroup (Maybe StatefulRuleOptions)
- ruleGroup_rulesSource :: Lens' RuleGroup RulesSource
- data RuleGroupMetadata = RuleGroupMetadata' {}
- newRuleGroupMetadata :: RuleGroupMetadata
- ruleGroupMetadata_arn :: Lens' RuleGroupMetadata (Maybe Text)
- ruleGroupMetadata_name :: Lens' RuleGroupMetadata (Maybe Text)
- data RuleGroupResponse = RuleGroupResponse' {
- capacity :: Maybe Int
- consumedCapacity :: Maybe Int
- description :: Maybe Text
- encryptionConfiguration :: Maybe EncryptionConfiguration
- lastModifiedTime :: Maybe POSIX
- numberOfAssociations :: Maybe Int
- ruleGroupStatus :: Maybe ResourceStatus
- snsTopic :: Maybe Text
- sourceMetadata :: Maybe SourceMetadata
- tags :: Maybe (NonEmpty Tag)
- type' :: Maybe RuleGroupType
- ruleGroupArn :: Text
- ruleGroupName :: Text
- ruleGroupId :: Text
- newRuleGroupResponse :: Text -> Text -> Text -> RuleGroupResponse
- ruleGroupResponse_capacity :: Lens' RuleGroupResponse (Maybe Int)
- ruleGroupResponse_consumedCapacity :: Lens' RuleGroupResponse (Maybe Int)
- ruleGroupResponse_description :: Lens' RuleGroupResponse (Maybe Text)
- ruleGroupResponse_encryptionConfiguration :: Lens' RuleGroupResponse (Maybe EncryptionConfiguration)
- ruleGroupResponse_lastModifiedTime :: Lens' RuleGroupResponse (Maybe UTCTime)
- ruleGroupResponse_numberOfAssociations :: Lens' RuleGroupResponse (Maybe Int)
- ruleGroupResponse_ruleGroupStatus :: Lens' RuleGroupResponse (Maybe ResourceStatus)
- ruleGroupResponse_snsTopic :: Lens' RuleGroupResponse (Maybe Text)
- ruleGroupResponse_sourceMetadata :: Lens' RuleGroupResponse (Maybe SourceMetadata)
- ruleGroupResponse_tags :: Lens' RuleGroupResponse (Maybe (NonEmpty Tag))
- ruleGroupResponse_type :: Lens' RuleGroupResponse (Maybe RuleGroupType)
- ruleGroupResponse_ruleGroupArn :: Lens' RuleGroupResponse Text
- ruleGroupResponse_ruleGroupName :: Lens' RuleGroupResponse Text
- ruleGroupResponse_ruleGroupId :: Lens' RuleGroupResponse Text
- data RuleOption = RuleOption' {}
- newRuleOption :: Text -> RuleOption
- ruleOption_settings :: Lens' RuleOption (Maybe [Text])
- ruleOption_keyword :: Lens' RuleOption Text
- data RuleVariables = RuleVariables' {}
- newRuleVariables :: RuleVariables
- ruleVariables_iPSets :: Lens' RuleVariables (Maybe (HashMap Text IPSet))
- ruleVariables_portSets :: Lens' RuleVariables (Maybe (HashMap Text PortSet))
- data RulesSource = RulesSource' {}
- newRulesSource :: RulesSource
- rulesSource_rulesSourceList :: Lens' RulesSource (Maybe RulesSourceList)
- rulesSource_rulesString :: Lens' RulesSource (Maybe Text)
- rulesSource_statefulRules :: Lens' RulesSource (Maybe [StatefulRule])
- rulesSource_statelessRulesAndCustomActions :: Lens' RulesSource (Maybe StatelessRulesAndCustomActions)
- data RulesSourceList = RulesSourceList' {}
- newRulesSourceList :: GeneratedRulesType -> RulesSourceList
- rulesSourceList_targets :: Lens' RulesSourceList [Text]
- rulesSourceList_targetTypes :: Lens' RulesSourceList [TargetType]
- rulesSourceList_generatedRulesType :: Lens' RulesSourceList GeneratedRulesType
- data SourceMetadata = SourceMetadata' {}
- newSourceMetadata :: SourceMetadata
- sourceMetadata_sourceArn :: Lens' SourceMetadata (Maybe Text)
- sourceMetadata_sourceUpdateToken :: Lens' SourceMetadata (Maybe Text)
- data StatefulEngineOptions = StatefulEngineOptions' {}
- newStatefulEngineOptions :: StatefulEngineOptions
- statefulEngineOptions_ruleOrder :: Lens' StatefulEngineOptions (Maybe RuleOrder)
- statefulEngineOptions_streamExceptionPolicy :: Lens' StatefulEngineOptions (Maybe StreamExceptionPolicy)
- data StatefulRule = StatefulRule' {
- action :: StatefulAction
- header :: Header
- ruleOptions :: [RuleOption]
- newStatefulRule :: StatefulAction -> Header -> StatefulRule
- statefulRule_action :: Lens' StatefulRule StatefulAction
- statefulRule_header :: Lens' StatefulRule Header
- statefulRule_ruleOptions :: Lens' StatefulRule [RuleOption]
- data StatefulRuleGroupOverride = StatefulRuleGroupOverride' {}
- newStatefulRuleGroupOverride :: StatefulRuleGroupOverride
- statefulRuleGroupOverride_action :: Lens' StatefulRuleGroupOverride (Maybe OverrideAction)
- data StatefulRuleGroupReference = StatefulRuleGroupReference' {}
- newStatefulRuleGroupReference :: Text -> StatefulRuleGroupReference
- statefulRuleGroupReference_override :: Lens' StatefulRuleGroupReference (Maybe StatefulRuleGroupOverride)
- statefulRuleGroupReference_priority :: Lens' StatefulRuleGroupReference (Maybe Natural)
- statefulRuleGroupReference_resourceArn :: Lens' StatefulRuleGroupReference Text
- data StatefulRuleOptions = StatefulRuleOptions' {}
- newStatefulRuleOptions :: StatefulRuleOptions
- statefulRuleOptions_ruleOrder :: Lens' StatefulRuleOptions (Maybe RuleOrder)
- data StatelessRule = StatelessRule' {}
- newStatelessRule :: RuleDefinition -> Natural -> StatelessRule
- statelessRule_ruleDefinition :: Lens' StatelessRule RuleDefinition
- statelessRule_priority :: Lens' StatelessRule Natural
- data StatelessRuleGroupReference = StatelessRuleGroupReference' {
- resourceArn :: Text
- priority :: Natural
- newStatelessRuleGroupReference :: Text -> Natural -> StatelessRuleGroupReference
- statelessRuleGroupReference_resourceArn :: Lens' StatelessRuleGroupReference Text
- statelessRuleGroupReference_priority :: Lens' StatelessRuleGroupReference Natural
- data StatelessRulesAndCustomActions = StatelessRulesAndCustomActions' {}
- newStatelessRulesAndCustomActions :: StatelessRulesAndCustomActions
- statelessRulesAndCustomActions_customActions :: Lens' StatelessRulesAndCustomActions (Maybe [CustomAction])
- statelessRulesAndCustomActions_statelessRules :: Lens' StatelessRulesAndCustomActions [StatelessRule]
- data SubnetMapping = SubnetMapping' {}
- newSubnetMapping :: Text -> SubnetMapping
- subnetMapping_subnetId :: Lens' SubnetMapping Text
- data SyncState = SyncState' {}
- newSyncState :: SyncState
- syncState_attachment :: Lens' SyncState (Maybe Attachment)
- syncState_config :: Lens' SyncState (Maybe (HashMap Text PerObjectStatus))
- data TCPFlagField = TCPFlagField' {}
- newTCPFlagField :: TCPFlagField
- tCPFlagField_masks :: Lens' TCPFlagField (Maybe [TCPFlag])
- tCPFlagField_flags :: Lens' TCPFlagField [TCPFlag]
- data Tag = Tag' {}
- newTag :: Text -> Text -> Tag
- tag_key :: Lens' Tag Text
- tag_value :: Lens' Tag Text
Service Configuration
defaultService :: Service Source #
API version 2020-11-12
of the Amazon Network Firewall SDK configuration.
Errors
_InsufficientCapacityException :: AsError a => Fold a ServiceError Source #
Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your request later.
_InternalServerError :: AsError a => Fold a ServiceError Source #
Your request is valid, but Network Firewall couldn't perform the operation because of a system problem. Retry your request (with backoff; the request itself does not need to change).
_InvalidOperationException :: AsError a => Fold a ServiceError Source #
The operation failed because it's not valid. For example, you might have tried to delete a rule group or firewall policy that's in use.
_InvalidRequestException :: AsError a => Fold a ServiceError Source #
The operation failed because of a problem with your request. Examples include:
- You specified an unsupported parameter name or value.
- You tried to update a property with a value that isn't among the available types.
- Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in the context of the request.
_InvalidResourcePolicyException :: AsError a => Fold a ServiceError Source #
The resource policy statement failed validation. The service validates the statement server-side; check its principals, actions and resource ARNs before retrying.
_InvalidTokenException :: AsError a => Fold a ServiceError Source #
The token you provided is stale or isn't valid for the operation. Update tokens (for example the `updateToken` carried in `PerObjectStatus`, or `sourceUpdateToken` in `SourceMetadata`) change when the resource is modified, so a stale token usually means the resource was changed since you read it. Re-read the resource to obtain the current token and retry rather than reusing the old one.
_LimitExceededException :: AsError a => Fold a ServiceError Source #
Unable to perform the operation because doing so would violate a limit setting.
_LogDestinationPermissionException :: AsError a => Fold a ServiceError Source #
Unable to send logs to a configured logging destination. This typically means Network Firewall is not permitted to write to the destination referenced in the `LogDestinationConfig` (CloudWatch Logs, Kinesis Data Firehose or S3); verify that the destination exists and that its resource or bucket policy grants the service write access before retrying.
_ResourceNotFoundException :: AsError a => Fold a ServiceError Source #
Unable to locate a resource using the parameters that you provided.
_ResourceOwnerCheckException :: AsError a => Fold a ServiceError Source #
Unable to change the resource because your account doesn't own it.
_ThrottlingException :: AsError a => Fold a ServiceError Source #
Unable to process the request due to throttling limitations.
_UnsupportedOperationException :: AsError a => Fold a ServiceError Source #
The operation you requested isn't supported by Network Firewall.
AttachmentStatus
newtype AttachmentStatus Source #
pattern AttachmentStatus_CREATING :: AttachmentStatus | |
pattern AttachmentStatus_DELETING :: AttachmentStatus | |
pattern AttachmentStatus_READY :: AttachmentStatus | |
pattern AttachmentStatus_SCALING :: AttachmentStatus |
Instances
ConfigurationSyncState
newtype ConfigurationSyncState Source #
Instances
EncryptionType
newtype EncryptionType Source #
pattern EncryptionType_AWS_OWNED_KMS_KEY :: EncryptionType | |
pattern EncryptionType_CUSTOMER_KMS :: EncryptionType |
Instances
FirewallStatusValue
newtype FirewallStatusValue Source #
pattern FirewallStatusValue_DELETING :: FirewallStatusValue | |
pattern FirewallStatusValue_PROVISIONING :: FirewallStatusValue | |
pattern FirewallStatusValue_READY :: FirewallStatusValue |
Instances
GeneratedRulesType
newtype GeneratedRulesType Source #
pattern GeneratedRulesType_ALLOWLIST :: GeneratedRulesType | |
pattern GeneratedRulesType_DENYLIST :: GeneratedRulesType |
Instances
LogDestinationType
newtype LogDestinationType Source #
pattern LogDestinationType_CloudWatchLogs :: LogDestinationType | |
pattern LogDestinationType_KinesisDataFirehose :: LogDestinationType | |
pattern LogDestinationType_S3 :: LogDestinationType |
Instances
LogType
pattern LogType_ALERT :: LogType | |
pattern LogType_FLOW :: LogType |
Instances
OverrideAction
newtype OverrideAction Source #
pattern OverrideAction_DROP_TO_ALERT :: OverrideAction |
Instances
PerObjectSyncStatus
newtype PerObjectSyncStatus Source #
pattern PerObjectSyncStatus_CAPACITY_CONSTRAINED :: PerObjectSyncStatus | |
pattern PerObjectSyncStatus_IN_SYNC :: PerObjectSyncStatus | |
pattern PerObjectSyncStatus_PENDING :: PerObjectSyncStatus |
Instances
ResourceManagedStatus
newtype ResourceManagedStatus Source #
pattern ResourceManagedStatus_ACCOUNT :: ResourceManagedStatus | |
pattern ResourceManagedStatus_MANAGED :: ResourceManagedStatus |
Instances
ResourceManagedType
newtype ResourceManagedType Source #
pattern ResourceManagedType_AWS_MANAGED_DOMAIN_LISTS :: ResourceManagedType | |
pattern ResourceManagedType_AWS_MANAGED_THREAT_SIGNATURES :: ResourceManagedType |
Instances
ResourceStatus
newtype ResourceStatus Source #
pattern ResourceStatus_ACTIVE :: ResourceStatus | |
pattern ResourceStatus_DELETING :: ResourceStatus |
Instances
RuleGroupType
newtype RuleGroupType Source #
pattern RuleGroupType_STATEFUL :: RuleGroupType | |
pattern RuleGroupType_STATELESS :: RuleGroupType |
Instances
RuleOrder
pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder | |
pattern RuleOrder_STRICT_ORDER :: RuleOrder |
Instances
StatefulAction
newtype StatefulAction Source #
pattern StatefulAction_ALERT :: StatefulAction | |
pattern StatefulAction_DROP :: StatefulAction | |
pattern StatefulAction_PASS :: StatefulAction |
Instances
StatefulRuleDirection
newtype StatefulRuleDirection Source #
pattern StatefulRuleDirection_ANY :: StatefulRuleDirection | |
pattern StatefulRuleDirection_FORWARD :: StatefulRuleDirection |
Instances
StatefulRuleProtocol
newtype StatefulRuleProtocol Source #
Instances
StreamExceptionPolicy
newtype StreamExceptionPolicy Source #
pattern StreamExceptionPolicy_CONTINUE :: StreamExceptionPolicy | |
pattern StreamExceptionPolicy_DROP :: StreamExceptionPolicy |
Instances
TCPFlag
pattern TCPFlag_ACK :: TCPFlag | |
pattern TCPFlag_CWR :: TCPFlag | |
pattern TCPFlag_ECE :: TCPFlag | |
pattern TCPFlag_FIN :: TCPFlag | |
pattern TCPFlag_PSH :: TCPFlag | |
pattern TCPFlag_RST :: TCPFlag | |
pattern TCPFlag_SYN :: TCPFlag | |
pattern TCPFlag_URG :: TCPFlag |
Instances
TargetType
newtype TargetType Source #
pattern TargetType_HTTP_HOST :: TargetType | |
pattern TargetType_TLS_SNI :: TargetType |
Instances
ActionDefinition
data ActionDefinition Source #
A custom action to use in stateless rule actions settings. This is used in CustomAction.
See: newActionDefinition
smart constructor.
Instances
newActionDefinition :: ActionDefinition Source #
Create a value of ActionDefinition
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
`$sel:publishMetricAction:ActionDefinition'`, `actionDefinition_publishMetricAction` — Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
actionDefinition_publishMetricAction :: Lens' ActionDefinition (Maybe PublishMetricAction) Source #
Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
Address
A single IP address specification. This is used in the MatchAttributes source and destination specifications.
See: newAddress
smart constructor.
Instances
FromJSON Address Source # | |
ToJSON Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
Generic Address Source # | |
Read Address Source # | |
Show Address Source # | |
NFData Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
Eq Address Source # | |
Hashable Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
type Rep Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address type Rep Address = D1 ('MetaData "Address" "Amazonka.NetworkFirewall.Types.Address" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "Address'" 'PrefixI 'True) (S1 ('MetaSel ('Just "addressDefinition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
Create a value of Address
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:addressDefinition:Address'
, address_addressDefinition
- Specify an IP address or a block of IP addresses in Classless
Inter-Domain Routing (CIDR) notation. Network Firewall supports all
address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address
192.0.2.44, specify
192.0.2.44/32
. - To configure Network Firewall to inspect for IP addresses from
192.0.2.0 to 192.0.2.255, specify
192.0.2.0/24
.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
address_addressDefinition :: Lens' Address Text Source #
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address
192.0.2.44, specify
192.0.2.44/32
. - To configure Network Firewall to inspect for IP addresses from
192.0.2.0 to 192.0.2.255, specify
192.0.2.0/24
.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
Attachment
data Attachment Source #
The configuration and status for a single subnet that you've specified for use by the Network Firewall firewall. This is part of the FirewallStatus.
See: newAttachment
smart constructor.
Attachment' | |
Instances
newAttachment :: Attachment Source #
Create a value of Attachment
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:endpointId:Attachment'
, attachment_endpointId
- The identifier of the firewall endpoint that Network Firewall has
instantiated in the subnet. You use this to identify the firewall
endpoint in the VPC route tables, when you redirect the VPC traffic
through the endpoint.
$sel:status:Attachment'
, attachment_status
- The current status of the firewall endpoint in the subnet. This value
reflects both the instantiation of the endpoint in the VPC subnet and
the sync states that are reported in the Config
settings. When this
value is READY
, the endpoint is available and configured properly to
handle network traffic. When the endpoint isn't available for traffic,
this value will reflect its state, for example CREATING
or DELETING
.
$sel:statusMessage:Attachment'
, attachment_statusMessage
- If Network Firewall fails to create or delete the firewall endpoint in
the subnet, it populates this with the reason for the failure and how to
resolve it. Depending on the error, it can take as many as 15 minutes to
populate this field. For more information about the errors and solutions
available for this field, see
Troubleshooting firewall endpoint failures
in the Network Firewall Developer Guide.
$sel:subnetId:Attachment'
, attachment_subnetId
- The unique identifier of the subnet that you've specified to be used
for a firewall endpoint.
attachment_endpointId :: Lens' Attachment (Maybe Text) Source #
The identifier of the firewall endpoint that Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
attachment_status :: Lens' Attachment (Maybe AttachmentStatus) Source #
The current status of the firewall endpoint in the subnet. This value
reflects both the instantiation of the endpoint in the VPC subnet and
the sync states that are reported in the Config
settings. When this
value is READY
, the endpoint is available and configured properly to
handle network traffic. When the endpoint isn't available for traffic,
this value will reflect its state, for example CREATING
or DELETING
.
attachment_statusMessage :: Lens' Attachment (Maybe Text) Source #
If Network Firewall fails to create or delete the firewall endpoint in the subnet, it populates this with the reason for the failure and how to resolve it. Depending on the error, it can take as many as 15 minutes to populate this field. For more information about the errors and solutions available for this field, see Troubleshooting firewall endpoint failures in the Network Firewall Developer Guide.
attachment_subnetId :: Lens' Attachment (Maybe Text) Source #
The unique identifier of the subnet that you've specified to be used for a firewall endpoint.
CIDRSummary
data CIDRSummary Source #
Summarizes the CIDR blocks used by the IP set references in a firewall. Network Firewall calculates the number of CIDRs by taking an aggregated count of all CIDRs used by the IP sets you are referencing.
See: newCIDRSummary
smart constructor.
CIDRSummary' | |
Instances
newCIDRSummary :: CIDRSummary Source #
Create a value of CIDRSummary
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:availableCIDRCount:CIDRSummary'
, cIDRSummary_availableCIDRCount
- The number of CIDR blocks available for use by the IP set references in
a firewall.
$sel:iPSetReferences:CIDRSummary'
, cIDRSummary_iPSetReferences
- The list of the IP set references used by a firewall.
$sel:utilizedCIDRCount:CIDRSummary'
, cIDRSummary_utilizedCIDRCount
- The number of CIDR blocks used by the IP set references in a firewall.
cIDRSummary_availableCIDRCount :: Lens' CIDRSummary (Maybe Natural) Source #
The number of CIDR blocks available for use by the IP set references in a firewall.
cIDRSummary_iPSetReferences :: Lens' CIDRSummary (Maybe (HashMap Text IPSetMetadata)) Source #
The list of the IP set references used by a firewall.
cIDRSummary_utilizedCIDRCount :: Lens' CIDRSummary (Maybe Natural) Source #
The number of CIDR blocks used by the IP set references in a firewall.
CapacityUsageSummary
data CapacityUsageSummary Source #
The capacity usage summary of the resources used by the ReferenceSets in a firewall.
See: newCapacityUsageSummary
smart constructor.
CapacityUsageSummary' | |
Instances
newCapacityUsageSummary :: CapacityUsageSummary Source #
Create a value of CapacityUsageSummary
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:cIDRs:CapacityUsageSummary'
, capacityUsageSummary_cIDRs
- Describes the capacity usage of the CIDR blocks used by the IP set
references in a firewall.
capacityUsageSummary_cIDRs :: Lens' CapacityUsageSummary (Maybe CIDRSummary) Source #
Describes the capacity usage of the CIDR blocks used by the IP set references in a firewall.
CustomAction
data CustomAction Source #
An optional, non-standard action to use for stateless packet handling. You can define this in addition to the standard action that you must specify.
You define and name the custom actions that you want to be able to use, and then you reference them by name in your actions settings.
You can use custom actions in the following places:
- In a rule group's StatelessRulesAndCustomActions specification. The
custom actions are available for use by name inside the
StatelessRulesAndCustomActions
where you define them. You can use them for your stateless rule actions to specify what to do with a packet that matches the rule's match attributes. - In a FirewallPolicy specification, in
StatelessCustomActions
. The custom actions are available for use inside the policy where you define them. You can use them for the policy's default stateless actions settings to specify what to do with packets that don't match any of the policy's stateless rules.
See: newCustomAction
smart constructor.
CustomAction' | |
Instances
:: Text | |
-> ActionDefinition | |
-> CustomAction |
Create a value of CustomAction
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:actionName:CustomAction'
, customAction_actionName
- The descriptive name of the custom action. You can't change the name of
a custom action after you create it.
$sel:actionDefinition:CustomAction'
, customAction_actionDefinition
- The custom action associated with the action name.
customAction_actionName :: Lens' CustomAction Text Source #
The descriptive name of the custom action. You can't change the name of a custom action after you create it.
customAction_actionDefinition :: Lens' CustomAction ActionDefinition Source #
The custom action associated with the action name.
Dimension
The value to use in an Amazon CloudWatch custom metric dimension. This
is used in the PublishMetrics
CustomAction. A CloudWatch custom metric
dimension is a name/value pair that's part of the identity of a
metric.
Network Firewall sets the dimension name to CustomAction
and you
provide the dimension value.
For more information about CloudWatch custom metric dimensions, see Publishing Custom Metrics in the Amazon CloudWatch User Guide.
See: newDimension
smart constructor.
Instances
FromJSON Dimension Source # | |
ToJSON Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
Generic Dimension Source # | |
Read Dimension Source # | |
Show Dimension Source # | |
NFData Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
Eq Dimension Source # | |
Hashable Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
type Rep Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension |
Create a value of Dimension
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:value:Dimension'
, dimension_value
- The value to use in the custom metric dimension.
EncryptionConfiguration
data EncryptionConfiguration Source #
A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Management Service in the Network Firewall Developer Guide.
See: newEncryptionConfiguration
smart constructor.
EncryptionConfiguration' | |
Instances
newEncryptionConfiguration Source #
Create a value of EncryptionConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:keyId:EncryptionConfiguration'
, encryptionConfiguration_keyId
- The ID of the Amazon Web Services Key Management Service (KMS) customer
managed key. You can use any of the key identifiers that KMS supports,
unless you're using a key that's managed by another account. If
you're using a key managed by another account, then specify the key
ARN. For more information, see
Key ID
in the Amazon Web Services KMS Developer Guide.
$sel:type':EncryptionConfiguration'
, encryptionConfiguration_type
- The type of Amazon Web Services KMS key to use for encryption of your
Network Firewall resources.
encryptionConfiguration_keyId :: Lens' EncryptionConfiguration (Maybe Text) Source #
The ID of the Amazon Web Services Key Management Service (KMS) customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN. For more information, see Key ID in the Amazon Web Services KMS Developer Guide.
encryptionConfiguration_type :: Lens' EncryptionConfiguration EncryptionType Source #
The type of Amazon Web Services KMS key to use for encryption of your Network Firewall resources.
Firewall
The firewall defines the configuration settings for a Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource.
The status of the firewall, for example whether it's ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.
See: newFirewall
smart constructor.
Firewall' | |
Instances
Create a value of Firewall
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:deleteProtection:Firewall'
, firewall_deleteProtection
- A flag indicating whether it is possible to delete the firewall. A
setting of TRUE
indicates that the firewall is protected against
deletion. Use this setting to protect against accidentally deleting a
firewall that is in use. When you create a firewall, the operation
initializes this flag to TRUE
.
$sel:description:Firewall'
, firewall_description
- A description of the firewall.
$sel:encryptionConfiguration:Firewall'
, firewall_encryptionConfiguration
- A complex type that contains the Amazon Web Services KMS encryption
configuration settings for your firewall.
$sel:firewallArn:Firewall'
, firewall_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:firewallName:Firewall'
, firewall_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
$sel:firewallPolicyChangeProtection:Firewall'
, firewall_firewallPolicyChangeProtection
- A setting indicating whether the firewall is protected against a change
to the firewall policy association. Use this setting to protect against
accidentally modifying the firewall policy for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE
.
$sel:subnetChangeProtection:Firewall'
, firewall_subnetChangeProtection
- A setting indicating whether the firewall is protected against changes
to the subnet associations. Use this setting to protect against
accidentally modifying the subnet associations for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE
.
$sel:tags:Firewall'
, firewall_tags
-
$sel:firewallPolicyArn:Firewall'
, firewall_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
$sel:vpcId:Firewall'
, firewall_vpcId
- The unique identifier of the VPC where the firewall is in use.
$sel:subnetMappings:Firewall'
, firewall_subnetMappings
- The public subnets that Network Firewall is using for the firewall. Each
subnet must belong to a different Availability Zone.
$sel:firewallId:Firewall'
, firewall_firewallId
- The unique identifier for the firewall.
firewall_deleteProtection :: Lens' Firewall (Maybe Bool) Source #
A flag indicating whether it is possible to delete the firewall. A
setting of TRUE
indicates that the firewall is protected against
deletion. Use this setting to protect against accidentally deleting a
firewall that is in use. When you create a firewall, the operation
initializes this flag to TRUE
.
firewall_encryptionConfiguration :: Lens' Firewall (Maybe EncryptionConfiguration) Source #
A complex type that contains the Amazon Web Services KMS encryption configuration settings for your firewall.
firewall_firewallArn :: Lens' Firewall (Maybe Text) Source #
The Amazon Resource Name (ARN) of the firewall.
firewall_firewallName :: Lens' Firewall (Maybe Text) Source #
The descriptive name of the firewall. You can't change the name of a firewall after you create it.
firewall_firewallPolicyChangeProtection :: Lens' Firewall (Maybe Bool) Source #
A setting indicating whether the firewall is protected against a change
to the firewall policy association. Use this setting to protect against
accidentally modifying the firewall policy for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE
.
firewall_subnetChangeProtection :: Lens' Firewall (Maybe Bool) Source #
A setting indicating whether the firewall is protected against changes
to the subnet associations. Use this setting to protect against
accidentally modifying the subnet associations for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE
.
firewall_firewallPolicyArn :: Lens' Firewall Text Source #
The Amazon Resource Name (ARN) of the firewall policy.
The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
firewall_vpcId :: Lens' Firewall Text Source #
The unique identifier of the VPC where the firewall is in use.
firewall_subnetMappings :: Lens' Firewall [SubnetMapping] Source #
The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.
FirewallMetadata
data FirewallMetadata Source #
High-level information about a firewall, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall.
See: newFirewallMetadata
smart constructor.
FirewallMetadata' | |
Instances
newFirewallMetadata :: FirewallMetadata Source #
Create a value of FirewallMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewallArn:FirewallMetadata'
, firewallMetadata_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:firewallName:FirewallMetadata'
, firewallMetadata_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
firewallMetadata_firewallArn :: Lens' FirewallMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the firewall.
firewallMetadata_firewallName :: Lens' FirewallMetadata (Maybe Text) Source #
The descriptive name of the firewall. You can't change the name of a firewall after you create it.
FirewallPolicy
data FirewallPolicy Source #
The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.
This, along with FirewallPolicyResponse, defines the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicy
smart constructor.
FirewallPolicy' | |
Instances
newFirewallPolicy :: FirewallPolicy Source #
Create a value of FirewallPolicy
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:statefulDefaultActions:FirewallPolicy'
, firewallPolicy_statefulDefaultActions
- The default actions to take on a packet that doesn't match any stateful
rules. The stateful default action is optional, and is only valid when
using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the Network Firewall Developer Guide.
$sel:statefulEngineOptions:FirewallPolicy'
, firewallPolicy_statefulEngineOptions
- Additional options governing how Network Firewall handles stateful
rules. The stateful rule groups that you use in your policy must have
stateful rule options settings that are compatible with these settings.
$sel:statefulRuleGroupReferences:FirewallPolicy'
, firewallPolicy_statefulRuleGroupReferences
- References to the stateful rule groups that are used in the policy.
These define the inspection criteria in stateful rules.
$sel:statelessCustomActions:FirewallPolicy'
, firewallPolicy_statelessCustomActions
- The custom action definitions that are available for use in the firewall
policy's StatelessDefaultActions
setting. You name each custom action
that you define, and then you can use it by name in your default actions
specifications.
$sel:statelessRuleGroupReferences:FirewallPolicy'
, firewallPolicy_statelessRuleGroupReferences
- References to the stateless rule groups that are used in the policy.
These define the matching criteria in stateless rules.
$sel:statelessDefaultActions:FirewallPolicy'
, firewallPolicy_statelessDefaultActions
- The actions to take on a packet if it doesn't match any of the
stateless rules in the policy. If you want non-matching packets to be
forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or
aws:forward_to_sfe
. In addition, you can specify custom actions that
are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify
["aws:pass", "customActionName"]
. For information about
compatibility, see the custom action descriptions under CustomAction.
$sel:statelessFragmentDefaultActions:FirewallPolicy'
, firewallPolicy_statelessFragmentDefaultActions
- The actions to take on a fragmented UDP packet if it doesn't match any
of the stateless rules in the policy. Network Firewall only manages UDP
packet fragments and silently drops packet fragments for other
protocols. If you want non-matching fragmented UDP packets to be
forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or
aws:forward_to_sfe
. In addition, you can specify custom actions that
are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify
["aws:pass", "customActionName"]
. For information about
compatibility, see the custom action descriptions under CustomAction.
firewallPolicy_statefulDefaultActions :: Lens' FirewallPolicy (Maybe [Text]) Source #
The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the Network Firewall Developer Guide.
firewallPolicy_statefulEngineOptions :: Lens' FirewallPolicy (Maybe StatefulEngineOptions) Source #
Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
firewallPolicy_statefulRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatefulRuleGroupReference]) Source #
References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
firewallPolicy_statelessCustomActions :: Lens' FirewallPolicy (Maybe [CustomAction]) Source #
The custom action definitions that are available for use in the firewall
policy's StatelessDefaultActions
setting. You name each custom action
that you define, and then you can use it by name in your default actions
specifications.
firewallPolicy_statelessRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatelessRuleGroupReference]) Source #
References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
firewallPolicy_statelessDefaultActions :: Lens' FirewallPolicy [Text] Source #
The actions to take on a packet if it doesn't match any of the
stateless rules in the policy. If you want non-matching packets to be
forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or
aws:forward_to_sfe
. In addition, you can specify custom actions that
are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify
["aws:pass", "customActionName"]
. For information about
compatibility, see the custom action descriptions under CustomAction.
firewallPolicy_statelessFragmentDefaultActions :: Lens' FirewallPolicy [Text] Source #
The actions to take on a fragmented UDP packet if it doesn't match any
of the stateless rules in the policy. Network Firewall only manages UDP
packet fragments and silently drops packet fragments for other
protocols. If you want non-matching fragmented UDP packets to be
forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or
aws:forward_to_sfe
. In addition, you can specify custom actions that
are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify
["aws:pass", "customActionName"]
. For information about
compatibility, see the custom action descriptions under CustomAction.
FirewallPolicyMetadata
data FirewallPolicyMetadata Source #
High-level information about a firewall policy, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicyMetadata
smart constructor.
Instances
newFirewallPolicyMetadata :: FirewallPolicyMetadata Source #
Create a value of FirewallPolicyMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:arn:FirewallPolicyMetadata'
, firewallPolicyMetadata_arn
- The Amazon Resource Name (ARN) of the firewall policy.
$sel:name:FirewallPolicyMetadata'
, firewallPolicyMetadata_name
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
firewallPolicyMetadata_arn :: Lens' FirewallPolicyMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the firewall policy.
firewallPolicyMetadata_name :: Lens' FirewallPolicyMetadata (Maybe Text) Source #
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
FirewallPolicyResponse
data FirewallPolicyResponse Source #
The high-level properties of a firewall policy. This, along with the FirewallPolicy, defines the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicyResponse
smart constructor.
FirewallPolicyResponse' | |
Instances
newFirewallPolicyResponse Source #
:: Text | |
-> Text | |
-> Text | |
-> FirewallPolicyResponse |
Create a value of FirewallPolicyResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:consumedStatefulRuleCapacity:FirewallPolicyResponse'
, firewallPolicyResponse_consumedStatefulRuleCapacity
- The number of capacity units currently consumed by the policy's
stateful rules.
$sel:consumedStatelessRuleCapacity:FirewallPolicyResponse'
, firewallPolicyResponse_consumedStatelessRuleCapacity
- The number of capacity units currently consumed by the policy's
stateless rules.
$sel:description:FirewallPolicyResponse'
, firewallPolicyResponse_description
- A description of the firewall policy.
$sel:encryptionConfiguration:FirewallPolicyResponse'
, firewallPolicyResponse_encryptionConfiguration
- A complex type that contains the Amazon Web Services KMS encryption
configuration settings for your firewall policy.
$sel:firewallPolicyStatus:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyStatus
- The current status of the firewall policy. You can retrieve this for a
firewall policy by calling DescribeFirewallPolicy and providing the
firewall policy's name or ARN.
$sel:lastModifiedTime:FirewallPolicyResponse'
, firewallPolicyResponse_lastModifiedTime
- The last time that the firewall policy was changed.
$sel:numberOfAssociations:FirewallPolicyResponse'
, firewallPolicyResponse_numberOfAssociations
- The number of firewalls that are associated with this firewall policy.
$sel:tags:FirewallPolicyResponse'
, firewallPolicyResponse_tags
- The key:value pairs to associate with the resource.
$sel:firewallPolicyName:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
$sel:firewallPolicyArn:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
If this response is for a create request that had DryRun
set to
TRUE
, then this ARN is a placeholder that isn't attached to a valid
resource.
$sel:firewallPolicyId:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyId
- The unique identifier for the firewall policy.
firewallPolicyResponse_consumedStatefulRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int) Source #
The number of capacity units currently consumed by the policy's stateful rules.
firewallPolicyResponse_consumedStatelessRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int) Source #
The number of capacity units currently consumed by the policy's stateless rules.
firewallPolicyResponse_description :: Lens' FirewallPolicyResponse (Maybe Text) Source #
A description of the firewall policy.
firewallPolicyResponse_encryptionConfiguration :: Lens' FirewallPolicyResponse (Maybe EncryptionConfiguration) Source #
A complex type that contains the Amazon Web Services KMS encryption configuration settings for your firewall policy.
firewallPolicyResponse_firewallPolicyStatus :: Lens' FirewallPolicyResponse (Maybe ResourceStatus) Source #
The current status of the firewall policy. You can retrieve this for a firewall policy by calling DescribeFirewallPolicy and providing the firewall policy's name or ARN.
firewallPolicyResponse_lastModifiedTime :: Lens' FirewallPolicyResponse (Maybe UTCTime) Source #
The last time that the firewall policy was changed.
firewallPolicyResponse_numberOfAssociations :: Lens' FirewallPolicyResponse (Maybe Int) Source #
The number of firewalls that are associated with this firewall policy.
firewallPolicyResponse_tags :: Lens' FirewallPolicyResponse (Maybe (NonEmpty Tag)) Source #
The key:value pairs to associate with the resource.
firewallPolicyResponse_firewallPolicyName :: Lens' FirewallPolicyResponse Text Source #
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
firewallPolicyResponse_firewallPolicyArn :: Lens' FirewallPolicyResponse Text Source #
The Amazon Resource Name (ARN) of the firewall policy.
If this response is for a create request that had DryRun set to TRUE, then this ARN is a placeholder that isn't attached to a valid resource.
firewallPolicyResponse_firewallPolicyId :: Lens' FirewallPolicyResponse Text Source #
The unique identifier for the firewall policy.
FirewallStatus
data FirewallStatus Source #
Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN.
See: newFirewallStatus
smart constructor.
FirewallStatus' | |
Instances
Create a value of FirewallStatus
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:capacityUsageSummary:FirewallStatus'
, firewallStatus_capacityUsageSummary
- Describes the capacity usage of the resources contained in a firewall's reference sets. Network Firewall calculates the capacity usage by taking an aggregated count of all of the resources used by all of the reference sets in a firewall.
$sel:syncStates:FirewallStatus'
, firewallStatus_syncStates
- The subnets that you've configured for use by the Network Firewall firewall. This contains one array element per Availability Zone where you've configured a subnet. These objects provide details of the information that is summarized in the ConfigurationSyncStateSummary and Status, broken down by zone and configuration object.
$sel:status:FirewallStatus'
, firewallStatus_status
- The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you've configured it. This setting is READY only when the ConfigurationSyncStateSummary value is IN_SYNC and the Attachment Status values for all of the configured subnets are READY.
$sel:configurationSyncStateSummary:FirewallStatus'
, firewallStatus_configurationSyncStateSummary
- The configuration sync state for the firewall. This summarizes the sync states reported in the Config settings for all of the Availability Zones where you have configured the firewall.
When you create a firewall or update its configuration, for example by adding a rule group to its firewall policy, Network Firewall distributes the configuration changes to all zones where the firewall is in use. This summary indicates whether the configuration changes have been applied everywhere.
This status must be IN_SYNC for the firewall to be ready for use, but it doesn't indicate that the firewall is ready. The Status setting indicates firewall readiness.
firewallStatus_capacityUsageSummary :: Lens' FirewallStatus (Maybe CapacityUsageSummary) Source #
Describes the capacity usage of the resources contained in a firewall's reference sets. Network Firewall calculates the capacity usage by taking an aggregated count of all of the resources used by all of the reference sets in a firewall.
firewallStatus_syncStates :: Lens' FirewallStatus (Maybe (HashMap Text SyncState)) Source #
The subnets that you've configured for use by the Network Firewall firewall. This contains one array element per Availability Zone where you've configured a subnet. These objects provide details of the information that is summarized in the ConfigurationSyncStateSummary and Status, broken down by zone and configuration object.
firewallStatus_status :: Lens' FirewallStatus FirewallStatusValue Source #
The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you've configured it. This setting is READY only when the ConfigurationSyncStateSummary value is IN_SYNC and the Attachment Status values for all of the configured subnets are READY.
firewallStatus_configurationSyncStateSummary :: Lens' FirewallStatus ConfigurationSyncState Source #
The configuration sync state for the firewall. This summarizes the sync states reported in the Config settings for all of the Availability Zones where you have configured the firewall.
When you create a firewall or update its configuration, for example by adding a rule group to its firewall policy, Network Firewall distributes the configuration changes to all zones where the firewall is in use. This summary indicates whether the configuration changes have been applied everywhere.
This status must be IN_SYNC for the firewall to be ready for use, but it doesn't indicate that the firewall is ready. The Status setting indicates firewall readiness.
Header
The basic rule criteria for Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding StatefulRule.
See: newHeader
smart constructor.
Header' | |
Instances
:: StatefulRuleProtocol | |
-> Text | |
-> Text | |
-> StatefulRuleDirection | |
-> Text | |
-> Text | |
-> Header |
Create a value of Header
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:protocol:Header'
, header_protocol
- The protocol to inspect for. To specify all, you can use IP, because all traffic on Amazon Web Services and on the internet is IP.
$sel:source:Header'
, header_source
- The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
$sel:sourcePort:Header'
, header_sourcePort
- The source port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
$sel:direction:Header'
, header_direction
- The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.
$sel:destination:Header'
, header_destination
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
$sel:destinationPort:Header'
, header_destinationPort
- The destination port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
header_protocol :: Lens' Header StatefulRuleProtocol Source #
The protocol to inspect for. To specify all, you can use IP, because all traffic on Amazon Web Services and on the internet is IP.
header_source :: Lens' Header Text Source #
The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
header_sourcePort :: Lens' Header Text Source #
The source port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
header_direction :: Lens' Header StatefulRuleDirection Source #
The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.
header_destination :: Lens' Header Text Source #
The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
header_destinationPort :: Lens' Header Text Source #
The destination port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
IPSet
A list of IP addresses and address ranges, in CIDR notation. This is part of a RuleVariables.
See: newIPSet
smart constructor.
IPSet' | |
Instances
FromJSON IPSet Source # | |
ToJSON IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
Generic IPSet Source # | |
Read IPSet Source # | |
Show IPSet Source # | |
NFData IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
Eq IPSet Source # | |
Hashable IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
type Rep IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet |
Create a value of IPSet
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:definition:IPSet'
, iPSet_definition
- The list of IP addresses and address ranges, in CIDR notation.
iPSet_definition :: Lens' IPSet [Text] Source #
The list of IP addresses and address ranges, in CIDR notation.
IPSetMetadata
data IPSetMetadata Source #
General information about the IP set.
See: newIPSetMetadata
smart constructor.
IPSetMetadata' | |
Instances
newIPSetMetadata :: IPSetMetadata Source #
Create a value of IPSetMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:resolvedCIDRCount:IPSetMetadata'
, iPSetMetadata_resolvedCIDRCount
- Describes the total number of CIDR blocks currently in use by the IP set references in a firewall. To determine how many CIDR blocks are available for you to use in a firewall, you can call AvailableCIDRCount.
iPSetMetadata_resolvedCIDRCount :: Lens' IPSetMetadata (Maybe Natural) Source #
Describes the total number of CIDR blocks currently in use by the IP set references in a firewall. To determine how many CIDR blocks are available for you to use in a firewall, you can call AvailableCIDRCount.
IPSetReference
data IPSetReference Source #
Configures one or more IP set references for a Suricata-compatible rule group. This is used in CreateRuleGroup or UpdateRuleGroup. An IP set reference is a rule variable that references a resource that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the IP set you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see Using IP set references in the Network Firewall Developer Guide.
Network Firewall currently supports only Amazon VPC prefix lists as IP set references.
See: newIPSetReference
smart constructor.
IPSetReference' | |
Instances
newIPSetReference :: IPSetReference Source #
Create a value of IPSetReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:referenceArn:IPSetReference'
, iPSetReference_referenceArn
- The Amazon Resource Name (ARN) of the resource that you are referencing in your rule group.
iPSetReference_referenceArn :: Lens' IPSetReference (Maybe Text) Source #
The Amazon Resource Name (ARN) of the resource that you are referencing in your rule group.
LogDestinationConfig
data LogDestinationConfig Source #
Defines where Network Firewall sends logs for the firewall for one log type. This is used in LoggingConfiguration. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery stream.
Network Firewall generates logs for stateful rule groups. You can save alert and flow log types. The stateful rules engine records flow logs for all network traffic that it receives. It records alert logs for traffic that matches stateful rules that have the rule action set to DROP or ALERT.
See: newLogDestinationConfig
smart constructor.
LogDestinationConfig' | |
Instances
newLogDestinationConfig Source #
Create a value of LogDestinationConfig
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:logType:LogDestinationConfig'
, logDestinationConfig_logType
- The type of log to send. Alert logs report traffic that matches a
StatefulRule with an action setting that sends an alert log message.
Flow logs are standard network traffic flow logs.
$sel:logDestinationType:LogDestinationConfig'
, logDestinationConfig_logDestinationType
- The type of storage destination to send these logs to. You can send logs
to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
Firehose delivery stream.
$sel:logDestination:LogDestinationConfig'
, logDestinationConfig_logDestination
- The named location for the logs, provided in a key:value mapping that is
specific to the chosen destination type.
For an Amazon S3 bucket, provide the name of the bucket, with key bucketName, and optionally provide a prefix, with key prefix. The following example specifies an Amazon S3 bucket named DOC-EXAMPLE-BUCKET and the prefix alerts: "LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts" }
For a CloudWatch log group, provide the name of the CloudWatch log group, with key logGroup. The following example specifies a log group named alert-log-group: "LogDestination": { "logGroup": "alert-log-group" }
For a Kinesis Data Firehose delivery stream, provide the name of the delivery stream, with key deliveryStream. The following example specifies a delivery stream named alert-delivery-stream: "LogDestination": { "deliveryStream": "alert-delivery-stream" }
logDestinationConfig_logType :: Lens' LogDestinationConfig LogType Source #
The type of log to send. Alert logs report traffic that matches a StatefulRule with an action setting that sends an alert log message. Flow logs are standard network traffic flow logs.
logDestinationConfig_logDestinationType :: Lens' LogDestinationConfig LogDestinationType Source #
The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery stream.
logDestinationConfig_logDestination :: Lens' LogDestinationConfig (HashMap Text Text) Source #
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
For an Amazon S3 bucket, provide the name of the bucket, with key bucketName, and optionally provide a prefix, with key prefix. The following example specifies an Amazon S3 bucket named DOC-EXAMPLE-BUCKET and the prefix alerts: "LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts" }
For a CloudWatch log group, provide the name of the CloudWatch log group, with key logGroup. The following example specifies a log group named alert-log-group: "LogDestination": { "logGroup": "alert-log-group" }
For a Kinesis Data Firehose delivery stream, provide the name of the delivery stream, with key deliveryStream. The following example specifies a delivery stream named alert-delivery-stream: "LogDestination": { "deliveryStream": "alert-delivery-stream" }
LoggingConfiguration
data LoggingConfiguration Source #
Defines how Network Firewall performs logging for a Firewall.
See: newLoggingConfiguration
smart constructor.
LoggingConfiguration' | |
Instances
newLoggingConfiguration :: LoggingConfiguration Source #
Create a value of LoggingConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:logDestinationConfigs:LoggingConfiguration'
, loggingConfiguration_logDestinationConfigs
- Defines the logging destinations for the logs for a firewall. Network
Firewall generates logs for stateful rule groups.
loggingConfiguration_logDestinationConfigs :: Lens' LoggingConfiguration [LogDestinationConfig] Source #
Defines the logging destinations for the logs for a firewall. Network Firewall generates logs for stateful rule groups.
MatchAttributes
data MatchAttributes Source #
Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.
See: newMatchAttributes
smart constructor.
MatchAttributes' | |
Instances
newMatchAttributes :: MatchAttributes Source #
Create a value of MatchAttributes
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:destinationPorts:MatchAttributes'
, matchAttributes_destinationPorts
- The destination ports to inspect for. If not specified, this matches
with any destination port. This setting is only used for protocols 6
(TCP) and 17 (UDP).
You can specify individual ports, for example 1994, and you can specify port ranges, for example 1990:1994.
$sel:destinations:MatchAttributes'
, matchAttributes_destinations
- The destination IP addresses and address ranges to inspect for, in CIDR
notation. If not specified, this matches with any destination address.
$sel:protocols:MatchAttributes'
, matchAttributes_protocols
- The protocols to inspect for, specified using each protocol's assigned
internet protocol number (IANA). If not specified, this matches with any
protocol.
$sel:sourcePorts:MatchAttributes'
, matchAttributes_sourcePorts
- The source ports to inspect for. If not specified, this matches with any
source port. This setting is only used for protocols 6 (TCP) and 17
(UDP).
You can specify individual ports, for example 1994, and you can specify port ranges, for example 1990:1994.
$sel:sources:MatchAttributes'
, matchAttributes_sources
- The source IP addresses and address ranges to inspect for, in CIDR
notation. If not specified, this matches with any source address.
$sel:tCPFlags:MatchAttributes'
, matchAttributes_tCPFlags
- The TCP flags and masks to inspect for. If not specified, this matches
with any settings. This setting is only used for protocol 6 (TCP).
matchAttributes_destinationPorts :: Lens' MatchAttributes (Maybe [PortRange]) Source #
The destination ports to inspect for. If not specified, this matches with any destination port. This setting is only used for protocols 6 (TCP) and 17 (UDP).
You can specify individual ports, for example 1994, and you can specify port ranges, for example 1990:1994.
matchAttributes_destinations :: Lens' MatchAttributes (Maybe [Address]) Source #
The destination IP addresses and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address.
matchAttributes_protocols :: Lens' MatchAttributes (Maybe [Natural]) Source #
The protocols to inspect for, specified using each protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
matchAttributes_sourcePorts :: Lens' MatchAttributes (Maybe [PortRange]) Source #
The source ports to inspect for. If not specified, this matches with any source port. This setting is only used for protocols 6 (TCP) and 17 (UDP).
You can specify individual ports, for example 1994, and you can specify port ranges, for example 1990:1994.
matchAttributes_sources :: Lens' MatchAttributes (Maybe [Address]) Source #
The source IP addresses and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address.
matchAttributes_tCPFlags :: Lens' MatchAttributes (Maybe [TCPFlagField]) Source #
The TCP flags and masks to inspect for. If not specified, this matches with any settings. This setting is only used for protocol 6 (TCP).
PerObjectStatus
data PerObjectStatus Source #
Provides configuration status for a single policy or rule group that is used for a firewall endpoint. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of a SyncState for a firewall.
See: newPerObjectStatus
smart constructor.
PerObjectStatus' | |
Instances
newPerObjectStatus :: PerObjectStatus Source #
Create a value of PerObjectStatus
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:syncStatus:PerObjectStatus'
, perObjectStatus_syncStatus
- Indicates whether this object is in sync with the version indicated in
the update token.
$sel:updateToken:PerObjectStatus'
, perObjectStatus_updateToken
- The current version of the object that is either in sync or pending
synchronization.
perObjectStatus_syncStatus :: Lens' PerObjectStatus (Maybe PerObjectSyncStatus) Source #
Indicates whether this object is in sync with the version indicated in the update token.
perObjectStatus_updateToken :: Lens' PerObjectStatus (Maybe Text) Source #
The current version of the object that is either in sync or pending synchronization.
PortRange
A single port range specification. This is used for source and destination port ranges in the stateless rule MatchAttributes, SourcePorts, and DestinationPorts settings.
See: newPortRange
smart constructor.
Instances
FromJSON PortRange Source # | |
ToJSON PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange | |
Generic PortRange Source # | |
Read PortRange Source # | |
Show PortRange Source # | |
NFData PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange | |
Eq PortRange Source # | |
Hashable PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange | |
type Rep PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange type Rep PortRange = D1 ('MetaData "PortRange" "Amazonka.NetworkFirewall.Types.PortRange" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "PortRange'" 'PrefixI 'True) (S1 ('MetaSel ('Just "fromPort") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Natural) :*: S1 ('MetaSel ('Just "toPort") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Natural))) |
Create a value of PortRange
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:fromPort:PortRange'
, portRange_fromPort
- The lower limit of the port range. This must be less than or equal to the ToPort specification.
$sel:toPort:PortRange'
, portRange_toPort
- The upper limit of the port range. This must be greater than or equal to the FromPort specification.
portRange_fromPort :: Lens' PortRange Natural Source #
The lower limit of the port range. This must be less than or equal to the ToPort specification.
portRange_toPort :: Lens' PortRange Natural Source #
The upper limit of the port range. This must be greater than or equal to the FromPort specification.
PortSet
A set of port ranges for use in the rules in a rule group.
See: newPortSet
smart constructor.
PortSet' | |
Instances
FromJSON PortSet Source # | |
ToJSON PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet | |
Generic PortSet Source # | |
Read PortSet Source # | |
Show PortSet Source # | |
NFData PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet | |
Eq PortSet Source # | |
Hashable PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet | |
type Rep PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet type Rep PortSet = D1 ('MetaData "PortSet" "Amazonka.NetworkFirewall.Types.PortSet" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "PortSet'" 'PrefixI 'True) (S1 ('MetaSel ('Just "definition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe [Text])))) |
newPortSet :: PortSet Source #
Create a value of PortSet
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:definition:PortSet'
, portSet_definition
- The set of port ranges.
PublishMetricAction
data PublishMetricAction Source #
Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
See: newPublishMetricAction
smart constructor.
Instances
newPublishMetricAction Source #
Create a value of PublishMetricAction
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:dimensions:PublishMetricAction'
, publishMetricAction_dimensions
-
ReferenceSets
data ReferenceSets Source #
Contains a set of IP set references.
See: newReferenceSets
smart constructor.
ReferenceSets' | |
|
Instances
newReferenceSets :: ReferenceSets Source #
Create a value of ReferenceSets
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:iPSetReferences:ReferenceSets'
, referenceSets_iPSetReferences
- The list of IP set references.
referenceSets_iPSetReferences :: Lens' ReferenceSets (Maybe (HashMap Text IPSetReference)) Source #
The list of IP set references.
RuleDefinition
data RuleDefinition Source #
The inspection criteria and action for a single stateless rule. Network Firewall inspects each packet for the specified matching criteria. When a packet matches the criteria, Network Firewall performs the rule's actions on the packet.
See: newRuleDefinition
smart constructor.
RuleDefinition' | |
|
Instances
Create a value of RuleDefinition
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:matchAttributes:RuleDefinition'
, ruleDefinition_matchAttributes
- Criteria for Network Firewall to use to inspect an individual packet in
stateless rule inspection. Each match attributes set can include one or
more items such as IP address, CIDR range, port number, protocol, and
TCP flags.
$sel:actions:RuleDefinition'
, ruleDefinition_actions
- The actions to take on a packet that matches one of the stateless rule
definition's match attributes. You must specify a standard action and
you can add custom actions.
Network Firewall only forwards a packet for stateful rule inspection if you specify aws:forward_to_sfe for a rule that the packet matches, or if the packet doesn't match any stateless rule and you specify aws:forward_to_sfe for the StatelessDefaultActions setting for the FirewallPolicy.
For every rule, you must specify exactly one of the following standard actions.
- aws:pass - Discontinues all inspection of the packet and permits it to go to its intended destination.
- aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended destination.
- aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.
Additionally, you can specify a custom action. To do this, you define a
custom action by name and type, then provide the name you've assigned
to the action in this Actions
setting. For information about the
options, see CustomAction.
To provide more than one action in this setting, separate the settings with a comma. For example, if you have a custom PublishMetrics action that you've named MyMetricsAction, then you could specify the standard action aws:pass and the custom action with [“aws:pass”, “MyMetricsAction”].
ruleDefinition_matchAttributes :: Lens' RuleDefinition MatchAttributes Source #
Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.
ruleDefinition_actions :: Lens' RuleDefinition [Text] Source #
The actions to take on a packet that matches one of the stateless rule definition's match attributes. You must specify a standard action and you can add custom actions.
Network Firewall only forwards a packet for stateful rule inspection if you specify aws:forward_to_sfe for a rule that the packet matches, or if the packet doesn't match any stateless rule and you specify aws:forward_to_sfe for the StatelessDefaultActions setting for the FirewallPolicy.
For every rule, you must specify exactly one of the following standard actions.
- aws:pass - Discontinues all inspection of the packet and permits it to go to its intended destination.
- aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended destination.
- aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.
Additionally, you can specify a custom action. To do this, you define a
custom action by name and type, then provide the name you've assigned
to the action in this Actions
setting. For information about the
options, see CustomAction.
To provide more than one action in this setting, separate the settings with a comma. For example, if you have a custom PublishMetrics action that you've named MyMetricsAction, then you could specify the standard action aws:pass and the custom action with [“aws:pass”, “MyMetricsAction”].
RuleGroup
The object that defines the rules in a rule group. This, along with RuleGroupResponse, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
Network Firewall uses a rule group to inspect and control network traffic. You define stateless rule groups to inspect individual packets and you define stateful rule groups to inspect packets in the context of their traffic flow.
To use a rule group, you include it by reference in a Network Firewall firewall policy, then you use the policy in a firewall. You can reference a rule group from more than one firewall policy, and you can use a firewall policy in more than one firewall.
See: newRuleGroup
smart constructor.
RuleGroup' | |
|
Instances
Create a value of RuleGroup
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:referenceSets:RuleGroup'
, ruleGroup_referenceSets
- The list of a rule group's reference sets.
$sel:ruleVariables:RuleGroup'
, ruleGroup_ruleVariables
- Settings that are available for use in the rules in the rule group. You
can only use these for stateful rule groups.
$sel:statefulRuleOptions:RuleGroup'
, ruleGroup_statefulRuleOptions
- Additional options governing how Network Firewall handles stateful
rules. The policies where you use your stateful rule group must have
stateful rule options settings that are compatible with these settings.
$sel:rulesSource:RuleGroup'
, ruleGroup_rulesSource
- The stateful rules or stateless rules for the rule group.
ruleGroup_referenceSets :: Lens' RuleGroup (Maybe ReferenceSets) Source #
The list of a rule group's reference sets.
ruleGroup_ruleVariables :: Lens' RuleGroup (Maybe RuleVariables) Source #
Settings that are available for use in the rules in the rule group. You can only use these for stateful rule groups.
ruleGroup_statefulRuleOptions :: Lens' RuleGroup (Maybe StatefulRuleOptions) Source #
Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings.
ruleGroup_rulesSource :: Lens' RuleGroup RulesSource Source #
The stateful rules or stateless rules for the rule group.
RuleGroupMetadata
data RuleGroupMetadata Source #
High-level information about a rule group, returned by ListRuleGroups. You can use the information provided in the metadata to retrieve and manage a rule group.
See: newRuleGroupMetadata
smart constructor.
Instances
newRuleGroupMetadata :: RuleGroupMetadata Source #
Create a value of RuleGroupMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:arn:RuleGroupMetadata'
, ruleGroupMetadata_arn
- The Amazon Resource Name (ARN) of the rule group.
$sel:name:RuleGroupMetadata'
, ruleGroupMetadata_name
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
ruleGroupMetadata_arn :: Lens' RuleGroupMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the rule group.
ruleGroupMetadata_name :: Lens' RuleGroupMetadata (Maybe Text) Source #
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
RuleGroupResponse
data RuleGroupResponse Source #
The high-level properties of a rule group. This, along with the RuleGroup, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
See: newRuleGroupResponse
smart constructor.
RuleGroupResponse' | |
|
Instances
:: Text | |
-> Text | |
-> Text | |
-> RuleGroupResponse |
Create a value of RuleGroupResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:capacity:RuleGroupResponse'
, ruleGroupResponse_capacity
- The maximum operating resources that this rule group can use. Rule group
capacity is fixed at creation. When you update a rule group, you are
limited to this capacity. When you reference a rule group from a
firewall policy, Network Firewall reserves this capacity for the rule
group.
You can retrieve the capacity that would be required for a rule group before you create the rule group by calling CreateRuleGroup with DryRun set to TRUE.
$sel:consumedCapacity:RuleGroupResponse'
, ruleGroupResponse_consumedCapacity
- The number of capacity units currently consumed by the rule group rules.
$sel:description:RuleGroupResponse'
, ruleGroupResponse_description
- A description of the rule group.
$sel:encryptionConfiguration:RuleGroupResponse'
, ruleGroupResponse_encryptionConfiguration
- A complex type that contains the Amazon Web Services KMS encryption
configuration settings for your rule group.
$sel:lastModifiedTime:RuleGroupResponse'
, ruleGroupResponse_lastModifiedTime
- The last time that the rule group was changed.
$sel:numberOfAssociations:RuleGroupResponse'
, ruleGroupResponse_numberOfAssociations
- The number of firewall policies that use this rule group.
$sel:ruleGroupStatus:RuleGroupResponse'
, ruleGroupResponse_ruleGroupStatus
- Detailed information about the current status of a rule group.
$sel:snsTopic:RuleGroupResponse'
, ruleGroupResponse_snsTopic
- The Amazon resource name (ARN) of the Amazon Simple Notification Service
SNS topic that's used to record changes to the managed rule group. You
can subscribe to the SNS topic to receive notifications when the managed
rule group is modified, such as for new versions and for version
expiration. For more information, see the
Amazon Simple Notification Service Developer Guide.
$sel:sourceMetadata:RuleGroupResponse'
, ruleGroupResponse_sourceMetadata
- A complex type that contains metadata about the rule group that your own
rule group is copied from. You can use the metadata to track the version
updates made to the originating rule group.
$sel:tags:RuleGroupResponse'
, ruleGroupResponse_tags
- The key:value pairs to associate with the resource.
RuleGroupResponse
, ruleGroupResponse_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
$sel:ruleGroupArn:RuleGroupResponse'
, ruleGroupResponse_ruleGroupArn
- The Amazon Resource Name (ARN) of the rule group.
If this response is for a create request that had DryRun set to TRUE, then this ARN is a placeholder that isn't attached to a valid resource.
$sel:ruleGroupName:RuleGroupResponse'
, ruleGroupResponse_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
$sel:ruleGroupId:RuleGroupResponse'
, ruleGroupResponse_ruleGroupId
- The unique identifier for the rule group.
ruleGroupResponse_capacity :: Lens' RuleGroupResponse (Maybe Int) Source #
The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
You can retrieve the capacity that would be required for a rule group before you create the rule group by calling CreateRuleGroup with DryRun set to TRUE.
ruleGroupResponse_consumedCapacity :: Lens' RuleGroupResponse (Maybe Int) Source #
The number of capacity units currently consumed by the rule group rules.
ruleGroupResponse_description :: Lens' RuleGroupResponse (Maybe Text) Source #
A description of the rule group.
ruleGroupResponse_encryptionConfiguration :: Lens' RuleGroupResponse (Maybe EncryptionConfiguration) Source #
A complex type that contains the Amazon Web Services KMS encryption configuration settings for your rule group.
ruleGroupResponse_lastModifiedTime :: Lens' RuleGroupResponse (Maybe UTCTime) Source #
The last time that the rule group was changed.
ruleGroupResponse_numberOfAssociations :: Lens' RuleGroupResponse (Maybe Int) Source #
The number of firewall policies that use this rule group.
ruleGroupResponse_ruleGroupStatus :: Lens' RuleGroupResponse (Maybe ResourceStatus) Source #
Detailed information about the current status of a rule group.
ruleGroupResponse_snsTopic :: Lens' RuleGroupResponse (Maybe Text) Source #
The Amazon resource name (ARN) of the Amazon Simple Notification Service SNS topic that's used to record changes to the managed rule group. You can subscribe to the SNS topic to receive notifications when the managed rule group is modified, such as for new versions and for version expiration. For more information, see the Amazon Simple Notification Service Developer Guide.
ruleGroupResponse_sourceMetadata :: Lens' RuleGroupResponse (Maybe SourceMetadata) Source #
A complex type that contains metadata about the rule group that your own rule group is copied from. You can use the metadata to track the version updates made to the originating rule group.
ruleGroupResponse_tags :: Lens' RuleGroupResponse (Maybe (NonEmpty Tag)) Source #
The key:value pairs to associate with the resource.
ruleGroupResponse_type :: Lens' RuleGroupResponse (Maybe RuleGroupType) Source #
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
ruleGroupResponse_ruleGroupArn :: Lens' RuleGroupResponse Text Source #
The Amazon Resource Name (ARN) of the rule group.
If this response is for a create request that had DryRun set to TRUE, then this ARN is a placeholder that isn't attached to a valid resource.
ruleGroupResponse_ruleGroupName :: Lens' RuleGroupResponse Text Source #
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
ruleGroupResponse_ruleGroupId :: Lens' RuleGroupResponse Text Source #
The unique identifier for the rule group.
RuleOption
data RuleOption Source #
Additional settings for a stateful rule. This is part of the StatefulRule configuration.
See: newRuleOption
smart constructor.
Instances
Create a value of RuleOption
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
ruleOption_settings :: Lens' RuleOption (Maybe [Text]) Source #
RuleVariables
data RuleVariables Source #
Settings that are available for use in the rules in the RuleGroup where this is defined.
See: newRuleVariables
smart constructor.
Instances
newRuleVariables :: RuleVariables Source #
Create a value of RuleVariables
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:iPSets:RuleVariables'
, ruleVariables_iPSets
- A list of IP addresses and address ranges, in CIDR notation.
$sel:portSets:RuleVariables'
, ruleVariables_portSets
- A list of port ranges.
ruleVariables_iPSets :: Lens' RuleVariables (Maybe (HashMap Text IPSet)) Source #
A list of IP addresses and address ranges, in CIDR notation.
ruleVariables_portSets :: Lens' RuleVariables (Maybe (HashMap Text PortSet)) Source #
A list of port ranges.
RulesSource
data RulesSource Source #
The stateless or stateful rules definitions for use in a single rule group. Each rule group requires a single RulesSource. You can use an instance of this for either stateless rules or stateful rules.
See: newRulesSource
smart constructor.
RulesSource' | |
|
Instances
newRulesSource :: RulesSource Source #
Create a value of RulesSource
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:rulesSourceList:RulesSource'
, rulesSource_rulesSourceList
- Stateful inspection criteria for a domain list rule group.
$sel:rulesString:RulesSource'
, rulesSource_rulesString
- Stateful inspection criteria, provided in Suricata compatible intrusion
prevention system (IPS) rules. Suricata is an open-source network IPS
that includes a standard rule-based language for network traffic
inspection.
These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.
$sel:statefulRules:RulesSource'
, rulesSource_statefulRules
- An array of individual stateful rules inspection criteria to be used
together in a stateful rule group. Use this option to specify simple
Suricata rules with protocol, source and destination, ports, direction,
and rule options. For information about the Suricata Rules
format, see
Rules Format.
$sel:statelessRulesAndCustomActions:RulesSource'
, rulesSource_statelessRulesAndCustomActions
- Stateless inspection criteria to be used in a stateless rule group.
rulesSource_rulesSourceList :: Lens' RulesSource (Maybe RulesSourceList) Source #
Stateful inspection criteria for a domain list rule group.
rulesSource_rulesString :: Lens' RulesSource (Maybe Text) Source #
Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.
These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.
rulesSource_statefulRules :: Lens' RulesSource (Maybe [StatefulRule]) Source #
An array of individual stateful rules inspection criteria to be used
together in a stateful rule group. Use this option to specify simple
Suricata rules with protocol, source and destination, ports, direction,
and rule options. For information about the Suricata Rules
format, see
Rules Format.
rulesSource_statelessRulesAndCustomActions :: Lens' RulesSource (Maybe StatelessRulesAndCustomActions) Source #
Stateless inspection criteria to be used in a stateless rule group.
RulesSourceList
data RulesSourceList Source #
Stateful inspection criteria for a domain list rule group.
For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.
By default, Network Firewall domain list inspection only includes
traffic coming from the VPC where you deploy the firewall. To inspect
traffic from IP addresses outside of the deployment VPC, you set the
HOME_NET
rule variable to include the CIDR range of the deployment VPC
plus the other CIDR ranges. For more information, see RuleVariables in
this guide and
Stateful domain list rule groups in Network Firewall
in the Network Firewall Developer Guide.
See: newRulesSourceList
smart constructor.
RulesSourceList' | |
|
Instances
Create a value of RulesSourceList
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:targets:RulesSourceList'
, rulesSourceList_targets
- The domains that you want to inspect for in your traffic flows. Valid
domain specifications are the following:
- Explicit names. For example, abc.example.com matches only the domain abc.example.com.
- Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.
$sel:targetTypes:RulesSourceList'
, rulesSourceList_targetTypes
- The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
$sel:generatedRulesType:RulesSourceList'
, rulesSourceList_generatedRulesType
- Whether you want to allow or deny access to the domains in your target
list.
rulesSourceList_targets :: Lens' RulesSourceList [Text] Source #
The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:
- Explicit names. For example, abc.example.com matches only the domain abc.example.com.
- Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.
rulesSourceList_targetTypes :: Lens' RulesSourceList [TargetType] Source #
The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
rulesSourceList_generatedRulesType :: Lens' RulesSourceList GeneratedRulesType Source #
Whether you want to allow or deny access to the domains in your target list.
SourceMetadata
data SourceMetadata Source #
High-level information about the managed rule group that your own rule group is copied from. You can use the metadata to track version updates made to the originating rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
See: newSourceMetadata
smart constructor.
SourceMetadata' | |
|
Instances
newSourceMetadata :: SourceMetadata Source #
Create a value of SourceMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:sourceArn:SourceMetadata'
, sourceMetadata_sourceArn
- The Amazon Resource Name (ARN) of the rule group that your own rule
group is copied from.
$sel:sourceUpdateToken:SourceMetadata'
, sourceMetadata_sourceUpdateToken
- The update token of the Amazon Web Services managed rule group that your
own rule group is copied from. To determine the update token for the
managed rule group, call
DescribeRuleGroup.
sourceMetadata_sourceArn :: Lens' SourceMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the rule group that your own rule group is copied from.
sourceMetadata_sourceUpdateToken :: Lens' SourceMetadata (Maybe Text) Source #
The update token of the Amazon Web Services managed rule group that your own rule group is copied from. To determine the update token for the managed rule group, call DescribeRuleGroup.
StatefulEngineOptions
data StatefulEngineOptions Source #
Configuration settings for the handling of the stateful rule groups in a firewall policy.
See: newStatefulEngineOptions
smart constructor.
StatefulEngineOptions' | |
|
Instances
newStatefulEngineOptions :: StatefulEngineOptions Source #
Create a value of StatefulEngineOptions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleOrder:StatefulEngineOptions'
, statefulEngineOptions_ruleOrder
- Indicates how to manage the order of stateful rule evaluation for the
policy. DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules
are provided to the rule engine as Suricata compatible strings, and
Suricata evaluates them based on certain settings. For more information,
see
Evaluation order for stateful rules
in the Network Firewall Developer Guide.
$sel:streamExceptionPolicy:StatefulEngineOptions'
, statefulEngineOptions_streamExceptionPolicy
- Configures how Network Firewall processes traffic when a network
connection breaks midstream. Network connections can break due to
disruptions in external networks or within the firewall itself.
- DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
- CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
statefulEngineOptions_ruleOrder :: Lens' StatefulEngineOptions (Maybe RuleOrder) Source #
Indicates how to manage the order of stateful rule evaluation for the
policy. DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules
are provided to the rule engine as Suricata compatible strings, and
Suricata evaluates them based on certain settings. For more information,
see
Evaluation order for stateful rules
in the Network Firewall Developer Guide.
statefulEngineOptions_streamExceptionPolicy :: Lens' StatefulEngineOptions (Maybe StreamExceptionPolicy) Source #
Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
- DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
- CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
StatefulRule
data StatefulRule Source #
A single Suricata rules specification, for use in a stateful rule group.
Use this option to specify a simple Suricata rule with protocol, source
and destination, ports, direction, and rule options. For information
about the Suricata Rules
format, see
Rules Format.
See: newStatefulRule
smart constructor.
StatefulRule' | |
|
Instances
Create a value of StatefulRule
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:action:StatefulRule'
, statefulRule_action
- Defines what Network Firewall should do with the packets in a traffic
flow when the flow matches the stateful rule criteria. For all actions,
Network Firewall performs the specified action and discontinues stateful
inspection of the traffic flow.
The actions for a stateful rule are defined as follows:
- PASS - Permits the packets to go to the intended destination.
- DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
- ALERT - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with the ALERT action, verify in the logs that the rule is filtering as you want, then change the action to DROP.
$sel:header:StatefulRule'
, statefulRule_header
- The stateful inspection criteria for this rule, used to inspect traffic
flows.
$sel:ruleOptions:StatefulRule'
, statefulRule_ruleOptions
- Additional options for the rule. These are the Suricata RuleOptions
settings.
statefulRule_action :: Lens' StatefulRule StatefulAction Source #
Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow.
The actions for a stateful rule are defined as follows:
- PASS - Permits the packets to go to the intended destination.
- DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
- ALERT - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with the ALERT action, verify in the logs that the rule is filtering as you want, then change the action to DROP.
statefulRule_header :: Lens' StatefulRule Header Source #
The stateful inspection criteria for this rule, used to inspect traffic flows.
statefulRule_ruleOptions :: Lens' StatefulRule [RuleOption] Source #
Additional options for the rule. These are the Suricata RuleOptions
settings.
StatefulRuleGroupOverride
data StatefulRuleGroupOverride Source #
The setting that allows the policy owner to change the behavior of the rule group within a policy.
See: newStatefulRuleGroupOverride
smart constructor.
StatefulRuleGroupOverride' | |
|
Instances
newStatefulRuleGroupOverride :: StatefulRuleGroupOverride Source #
Create a value of StatefulRuleGroupOverride
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:action:StatefulRuleGroupOverride'
, statefulRuleGroupOverride_action
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
statefulRuleGroupOverride_action :: Lens' StatefulRuleGroupOverride (Maybe OverrideAction) Source #
The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
StatefulRuleGroupReference
data StatefulRuleGroupReference Source #
Identifier for a single stateful rule group, used in a firewall policy to refer to a rule group.
See: newStatefulRuleGroupReference
smart constructor.
StatefulRuleGroupReference' | |
|
Instances
newStatefulRuleGroupReference Source #
Create a value of StatefulRuleGroupReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:override:StatefulRuleGroupReference'
, statefulRuleGroupReference_override
- The action that allows the policy owner to override the behavior of the
rule group within a policy.
$sel:priority:StatefulRuleGroupReference'
, statefulRuleGroupReference_priority
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.
Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority value. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
$sel:resourceArn:StatefulRuleGroupReference'
, statefulRuleGroupReference_resourceArn
- The Amazon Resource Name (ARN) of the stateful rule group.
statefulRuleGroupReference_override :: Lens' StatefulRuleGroupReference (Maybe StatefulRuleGroupOverride) Source #
The action that allows the policy owner to override the behavior of the rule group within a policy.
statefulRuleGroupReference_priority :: Lens' StatefulRuleGroupReference (Maybe Natural) Source #
An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.
Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority value. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
statefulRuleGroupReference_resourceArn :: Lens' StatefulRuleGroupReference Text Source #
The Amazon Resource Name (ARN) of the stateful rule group.
StatefulRuleOptions
data StatefulRuleOptions Source #
Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.
See: newStatefulRuleOptions
smart constructor.
StatefulRuleOptions' | |
|
Instances
newStatefulRuleOptions :: StatefulRuleOptions Source #
Create a value of StatefulRuleOptions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleOrder:StatefulRuleOptions'
, statefulRuleOptions_ruleOrder
- Indicates how to manage the order of the rule evaluation for the rule group. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the Network Firewall Developer Guide.
statefulRuleOptions_ruleOrder :: Lens' StatefulRuleOptions (Maybe RuleOrder) Source #
Indicates how to manage the order of the rule evaluation for the rule group. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the Network Firewall Developer Guide.
StatelessRule
data StatelessRule Source #
A single stateless rule. This is used in StatelessRulesAndCustomActions.
See: newStatelessRule
smart constructor.
StatelessRule' | |
|
Instances
:: RuleDefinition | |
-> Natural | |
-> StatelessRule |
Create a value of StatelessRule
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleDefinition:StatelessRule'
, statelessRule_ruleDefinition
- Defines the stateless 5-tuple packet inspection criteria and the action
to take on a packet that matches the criteria.
$sel:priority:StatelessRule'
, statelessRule_priority
- Indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. Network Firewall evaluates the rules in a rule group starting with the lowest priority value. You must ensure that the priority settings are unique for the rule group.
Each stateless rule group uses exactly one StatelessRulesAndCustomActions object, and each StatelessRulesAndCustomActions contains exactly one StatelessRules object. To ensure unique priority settings for your rule groups, set unique priorities for the stateless rules that you define inside any single StatelessRules object.
You can change the priority settings of your rules at any time. To make it easier to insert rules later, number them so there's a wide range in between, for example use 100, 200, and so on.
statelessRule_ruleDefinition :: Lens' StatelessRule RuleDefinition Source #
Defines the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria.
statelessRule_priority :: Lens' StatelessRule Natural Source #
Indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. Network Firewall evaluates the rules in a rule group starting with the lowest priority value. You must ensure that the priority settings are unique for the rule group.
Each stateless rule group uses exactly one StatelessRulesAndCustomActions object, and each StatelessRulesAndCustomActions contains exactly one StatelessRules object. To ensure unique priority settings for your rule groups, set unique priorities for the stateless rules that you define inside any single StatelessRules object.
You can change the priority settings of your rules at any time. To make it easier to insert rules later, number them so there's a wide range in between, for example use 100, 200, and so on.
StatelessRuleGroupReference
data StatelessRuleGroupReference Source #
Identifier for a single stateless rule group, used in a firewall policy to refer to the rule group.
See: newStatelessRuleGroupReference
smart constructor.
StatelessRuleGroupReference' | |
|
Instances
newStatelessRuleGroupReference Source #
Create a value of StatelessRuleGroupReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:resourceArn:StatelessRuleGroupReference'
, statelessRuleGroupReference_resourceArn
- The Amazon Resource Name (ARN) of the stateless rule group.
$sel:priority:StatelessRuleGroupReference'
, statelessRuleGroupReference_priority
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority value. You must ensure that the priority settings are unique within each policy.
statelessRuleGroupReference_resourceArn :: Lens' StatelessRuleGroupReference Text Source #
The Amazon Resource Name (ARN) of the stateless rule group.
statelessRuleGroupReference_priority :: Lens' StatelessRuleGroupReference Natural Source #
An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority value. You must ensure that the priority settings are unique within each policy.
StatelessRulesAndCustomActions
data StatelessRulesAndCustomActions Source #
Stateless inspection criteria. Each stateless rule group uses exactly one of these data types to define its stateless rules.
See: newStatelessRulesAndCustomActions
smart constructor.
StatelessRulesAndCustomActions' | |
|
Instances
newStatelessRulesAndCustomActions :: StatelessRulesAndCustomActions Source #
Create a value of StatelessRulesAndCustomActions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:customActions:StatelessRulesAndCustomActions'
, statelessRulesAndCustomActions_customActions
- Defines an array of individual custom action definitions that are available for use by the stateless rules in this StatelessRulesAndCustomActions specification. You name each custom action that you define, and then you can use it by name in your StatelessRule RuleDefinition Actions specification.
$sel:statelessRules:StatelessRulesAndCustomActions'
, statelessRulesAndCustomActions_statelessRules
- Defines the set of stateless rules for use in a stateless rule group.
statelessRulesAndCustomActions_customActions :: Lens' StatelessRulesAndCustomActions (Maybe [CustomAction]) Source #
Defines an array of individual custom action definitions that are available for use by the stateless rules in this StatelessRulesAndCustomActions specification. You name each custom action that you define, and then you can use it by name in your StatelessRule RuleDefinition Actions specification.
statelessRulesAndCustomActions_statelessRules :: Lens' StatelessRulesAndCustomActions [StatelessRule] Source #
Defines the set of stateless rules for use in a stateless rule group.
SubnetMapping
data SubnetMapping Source #
The ID for a subnet that you want to associate with the firewall. This is used with CreateFirewall and AssociateSubnets. Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.
See: newSubnetMapping
smart constructor.
Instances
Create a value of SubnetMapping
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:subnetId:SubnetMapping'
, subnetMapping_subnetId
- The unique identifier for the subnet.
subnetMapping_subnetId :: Lens' SubnetMapping Text Source #
The unique identifier for the subnet.
SyncState
The status of the firewall endpoint and firewall policy configuration for a single VPC subnet.
For each VPC subnet that you associate with a firewall, Network Firewall does the following:
- Instantiates a firewall endpoint in the subnet, ready to take traffic.
- Configures the endpoint with the current firewall policy settings, to provide the filtering behavior for the endpoint.
When you update a firewall, for example to add a subnet association or change a rule group in the firewall policy, the affected sync states reflect out-of-sync or not ready status until the changes are complete.
See: newSyncState
smart constructor.
SyncState' | |
|
Instances
FromJSON SyncState Source # | |
Generic SyncState Source # | |
Read SyncState Source # | |
Show SyncState Source # | |
NFData SyncState Source # | |
Defined in Amazonka.NetworkFirewall.Types.SyncState | |
Eq SyncState Source # | |
Hashable SyncState Source # | |
Defined in Amazonka.NetworkFirewall.Types.SyncState | |
type Rep SyncState Source # | |
Defined in Amazonka.NetworkFirewall.Types.SyncState type Rep SyncState = D1 ('MetaData "SyncState" "Amazonka.NetworkFirewall.Types.SyncState" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "SyncState'" 'PrefixI 'True) (S1 ('MetaSel ('Just "attachment") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Attachment)) :*: S1 ('MetaSel ('Just "config") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe (HashMap Text PerObjectStatus))))) |
newSyncState :: SyncState Source #
Create a value of SyncState
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:attachment:SyncState'
, syncState_attachment
- The attachment status of the firewall's association with a single VPC
subnet. For each configured subnet, Network Firewall creates the
attachment by instantiating the firewall endpoint in the subnet so that
it's ready to take traffic. This is part of the FirewallStatus.
$sel:config:SyncState'
, syncState_config
- The configuration status of the firewall endpoint in a single VPC
subnet. Network Firewall provides each endpoint with the rules that are
configured in the firewall policy. Each time you add a subnet or modify
the associated firewall policy, Network Firewall synchronizes the rules
in the endpoint, so it can properly filter network traffic. This is part
of the FirewallStatus.
syncState_attachment :: Lens' SyncState (Maybe Attachment) Source #
The attachment status of the firewall's association with a single VPC subnet. For each configured subnet, Network Firewall creates the attachment by instantiating the firewall endpoint in the subnet so that it's ready to take traffic. This is part of the FirewallStatus.
syncState_config :: Lens' SyncState (Maybe (HashMap Text PerObjectStatus)) Source #
The configuration status of the firewall endpoint in a single VPC subnet. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of the FirewallStatus.
TCPFlagField
data TCPFlagField Source #
TCP flags and masks to inspect packets for, used in stateless rules MatchAttributes settings.
See: newTCPFlagField
smart constructor.
TCPFlagField' | |
|
Instances
newTCPFlagField :: TCPFlagField Source #
Create a value of TCPFlagField
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:masks:TCPFlagField'
, tCPFlagField_masks
- The set of flags to consider in the inspection. To inspect all flags in
the valid values list, leave this with no setting.
$sel:flags:TCPFlagField'
, tCPFlagField_flags
- Used in conjunction with the Masks setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the Masks setting.
For the flags that are specified in the masks setting, the following must be true for the packet to match:
- The ones that are set in this flags setting must be set in the packet.
- The ones that are not set in this flags setting must also not be set in the packet.
tCPFlagField_masks :: Lens' TCPFlagField (Maybe [TCPFlag]) Source #
The set of flags to consider in the inspection. To inspect all flags in the valid values list, leave this with no setting.
tCPFlagField_flags :: Lens' TCPFlagField [TCPFlag] Source #
Used in conjunction with the Masks setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the Masks setting.
For the flags that are specified in the masks setting, the following must be true for the packet to match:
- The ones that are set in this flags setting must be set in the packet.
- The ones that are not set in this flags setting must also not be set in the packet.
Tag
A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.
See: newTag
smart constructor.
Tag' | |
|
Instances
FromJSON Tag Source # | |
ToJSON Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag | |
Generic Tag Source # | |
Read Tag Source # | |
Show Tag Source # | |
NFData Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag | |
Eq Tag Source # | |
Hashable Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag | |
type Rep Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag type Rep Tag = D1 ('MetaData "Tag" "Amazonka.NetworkFirewall.Types.Tag" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "Tag'" 'PrefixI 'True) (S1 ('MetaSel ('Just "key") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: S1 ('MetaSel ('Just "value") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
Create a value of Tag
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:key:Tag'
, tag_key
- The part of the key:value pair that defines a tag. You can use a tag key
to describe a category of information, such as "customer." Tag keys
are case-sensitive.
$sel:value:Tag'
, tag_value
- The part of the key:value pair that defines a tag. You can use a tag
value to describe a specific value within a category, such as
"companyA" or "companyB." Tag values are case-sensitive.